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Abstract 

The ability of providing and relating temporal representations at different 'grain levels' 
of the same reality is an important research theme in computer science and a major re- 
quirement for many applications, including formal specification and verification, temporal 
databases, data mining, problem solving, and natural language understanding. In particu- 
lar, the addition of a granularity dimension to a temporal logic makes it possible to specify 
in a concise way reactive systems whose behaviour can be naturally modeled with respect 
to a (possibly infinite) set of differently-grained temporal domains. 

Suitable extensions of the monadic second-order theory of k successors have been pro- 
posed in the literature to capture the notion of time granularity. In this paper, we provide 
the monadic second-order theories of downward unbounded layered structures, which are 
infinitely refinable structures consisting of a coarsest domain and an infinite number of 
finer and finer domains, and of upward unbounded layered structures, which consist of a 
finest domain and an infinite number of coarser and coarser domains, with expressively 
complete and elementarily decidable temporal logic counterparts. 

We obtain such a result in two steps. First, we define a new class of combined au- 
tomata, called temporalized automata, which can be proved to be the automata-theoretic 
counterpart of temporalized logics, and show that relevant properties, such as closure un- 
der Boolean operations, decidability, and expressive equivalence with respect to temporal 
logics, transfer from component automata to temporalized ones. Then, we exploit the cor- 
respondence between temporalized logics and automata to reduce the task of finding the 
temporal logic counterparts of the given theories of time granularity to the easier one of 
finding temporalized automata counterparts of them. 



1 Introduction 

Time granularity is an important, but not always well-understood, research theme in 
computer science. To acquaint the reader with the basics of the subject, we start the 
paper with a gentle introduction to research on time granularity. In Section 1.1, we 
briefly illustrate the intersection of research on time granularity with different areas 
of computer science, ranging from system specification and verification to natural 
language understanding, and we give a high-level view of the logical approach to 
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the problem of representing and reasoning about time granularity that we follow 
in the paper. In Section 1.2, we focus on the topics addressed in the paper, and 
we outline its main contributions. In Section 1.3, we show that the considered 
topics present interesting connections with a number of issues relevant to various 
research directions in computer science logic, including real-time logics, interval 
logics, and combined logics. We conclude the introduction by a short description of 
the organization of the rest of the paper. 

1.1 Representing and reasoning about time granularity 

The ability of providing and relating temporal representations at different 'grain 
levels' of the same reality is an important research theme in various fields of com- 
puter science, including formal specification and verification, temporal databases, 
data mining, problem solving, and natural language understanding. As for formal 
specifications, there exists a large class of reactive systems whose components have 
dynamic behavior regulated by very different time constants (granular reactive sys- 
tems). A good specification language must enable one to specify and verify the 
components of a granular reactive system and their interactions in a simple and 
intuitively clear way (Ciapessoni et al. 1993; Corsetti et al. 1991; Corsetti et al. 
1991; Fiadeiro and Maibaum 1994; Lamport 1985; Montanari et al. 2002; Monta- 
nari et al. 1999; Montanari et al. 2000; Montanari and Policriti 1996). As for tempo- 
ral databases, the common way to represent temporal information is to timestamp 
cither attributes [attribute timestamping) or tuples/objects (tuple-timestamping) . 
Timcstamping is performed taking time values over some fixed granularity. How- 
ever, it may happen that differently-grained timcstamps arc associated with differ- 
ent data. This is the case, for instance, when information is collected from distinct 
sources which are not under the same control. Moreover, users and application pro- 
grams may require the flexibility of viewing and querying temporal data at different 
time granularities. To guarantee consistency cither the data must be converted into 
a uniform granularity-independent representation or temporal database operations 
must be generalized to cope with data associated with different temporal domains. 
In both cases, a precise semantics for time granularity is needed (Bettini et al. 
1997; Chandra et al. 1994; Combi and Pozzi 2001; Dyreson and Snodgrass 1995; 
Jajodia et al. 1993; Jajodia et al. 1995; Montanari and Pernici 1993; Ning et al. 
2002; Niezette and Stcvcnnc 1993; Segev and Chandra 1993; Wijscn 1998; Wijsen 
1999). With regard to data mining, a huge amount of data is collected every day 
in the form of event-time sequences. These sequences represent valuable sources of 
information, not only for what is explicitly recorded, but also for deriving implicit 
information and predicting the future behavior of the monitored process. This lat- 
ter activity requires an analysis of the frequency of certain events, the discovery 
of their regularity, and the identification of sets of events that are linked by par- 
ticular temporal relationships. Such frequencies, regularity and relationships are 
often expressed in terms of multiple granularities, and thus analysis and discovery 
tools must be able to cope with them (Agrawal and Srikant 1995; Bettini et al. 
1998; Bettini et al. 1996b; Dreyer et al. 1994; Mannila et al. 1995). With regard 
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to problem solving, several problems in scheduling, planning, and diagnosis can 
be formulated as temporal constraint satisfaction problems provided with a time 
granularity dimension. Variables arc used to represent events occurring at different 
time granularities and constraints are used to represent temporal relations between 
events (Bcttini ct al. 1996a; Cukicrman and Delgrande 1998; Euzenat 1995; Lad- 
kin 1987; Montanari et al. 1992; Mota and Robertson 1996; Poesio and Brachman 
1991; Shahar 1996). Finally, shifts in the temporal perspective are common in nat- 
ural language communication, and thus the ability of supporting and relating a 
variety of temporal models, at different grain sizes, is a relevant feature for the task 
of natural language processing (Blackburn and Bos 2003; Foster ct al. 1986; Fum 
ct al. 1989; Kamp and Schiehlen 2001). 

According to a commonly accepted perspective, any time granularity can be 
viewed as the partitioning of a temporal domain in groups of elements, where each 
group is perceived as an indivisible unit (a granule). A representation formalism 
can then use these granules to provide facts, actions or events with a temporal 
qualification, at the appropriate abstraction level. However, adding the concept of 
time granularity to a formalism does not merely mean that one can use different 
temporal units to represent temporal quantities in a unique flat model, but it in- 
volves semantic issues related to the problem of assigning a proper meaning to the 
association of statements with the different temporal domains of a layered model 
and of switching from one domain to a coarser/finer one. 

Different approaches to represent and to reason about time granularity have been 
proposed in the literature. In the following, we introduce the distinctive features of 
the logical approach to time granularity 1 . In the logical setting, the different time 
granularities and their interconnections are represented by means of mathematical 
structures, called layered structures. A layered structure consists of a possibly infi- 
nite set of related differently-grained temporal domains. Such a structure identifies 
the relevant temporal domains and defines the relations between time points belong- 
ing to different domains. Suitable operators make it possible to move horizontally 
within a given temporal domain (displacement operators), and to move vertically 
across temporal domains (projection operators). Both classical and temporal logics 



1 In (Franceschet and Montanari 2002) we analyze alternative approaches to time granularity, 
developed in the context of temporal databases, and we compare them with the logical one. 
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Fig. 2. The 2-refinable downward unbounded layered structure. 

can be interpreted over the layered structure. Logical formulas allow one to spec- 
ify properties involving different time granularities in a single formula by mixing 
displacement and projection operators. Algorithms are provided to verify whether 
a given formula is consistent (satisfiability checking) as well as to check whether a 
given formula is satisfied in a particular structure (model checking). The logical ap- 
proach to represent time granularity has been mostly applied in the field of formal 
specification and verification of concurrent systems. An application of time granu- 
larity logics to the specification of a supervisor that automates the activities of a 
high voltage station, devoted to the end user distribution of the energy generated 
by power plants, has been accomplished in collaboration with Automation Research 
Center of the Electricity Board of Italy (ENEL). A short account of this work has 
been given in (Ciapessoni et al. 1993). Logics for time granularity have also been 
applied to the specification of real-time monitoring systems (Corsetti et al. 1991), 
mobile systems (Franceschet et al. 2000), and therapy plans in clinical medicine 
(Combi et al. 2002). 

A systematic logical framework for time granularity, based on a many-level view 
of temporal structures, with matching logics and decidability results, has been pro- 
posed in (Montanari 1996; Montanari and Policriti 1996; Montanari et al. 1999) and 
later extended in (Franceschet 2002; Franceschet and Montanari 2001a; Franceschet 
and Montanari 2001b; Franceschet and Montanari 2003). Layered structures with 
exactly n > 1 temporal domains such that each time point can be refined into 
k > 2 time points of the immediately finer temporal domain, if any, are called 
/c-rcfinablc n- layered structures (n-LSs for short, see Figure 1). They have been 
investigated in (Montanari and Policriti 1996), where a classical second-order lan- 
guage, with second-order quantification restricted to monadic predicates, has been 
interpreted over them. The language includes a total order < and k projection func- 
tions 4oj • • • > ife-i ov cr the layered temporal universe such that, for every point x, 
lo(x), . . . , lk-i( x ) are the k elements of the immediately finer temporal domain, 
if any, into which x is refined. The satisfiability problem for the monadic second- 
order language over n-LSs has been proved to be decidable by using a reduction to 
the emptiness problem for Biichi sequence automata. Unfortunately, the decision 
procedure has a nonelementary complexity 

Layered structures with an infinite number of temporal domains, w-layered struc- 
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tures, have been studied in (Montanari et al. 1999). In particular, the authors 
investigated k-refinable downward unbounded layered structures (DULSs), that is, 
w-layered structures consisting of a coarsest domain together with an infinite num- 
ber of finer and finer domains (see Figure 2), and k-refinable upward unbounded 
layered structures (UULSs), that is, w-layered structures consisting of a finest tem- 
poral domain together with an infinite number of coarser and coarser domains (see 
Figure 3). A classical monadic second-order language, including a total order < 
and k projection functions | , . . . , | fc _ 1 , has been interpreted over both UULSs and 
DULSs. The decidability of the monadic second-order theories of UULSs and DULSs 
has been proved by reducing the satisfiability problem to the emptiness problem for 
systolic and Rabin tree automata, respectively. In both cases the decision procedure 
has a nonelementary complexity 



1.2 Our contributions 

Monadic logics for time granularity arc quite expressive, but, unfortunately, they 
have few computational appealing: their decision problem is indeed nonelementary. 
This roughly means that it is possible to algorithmically check satisfiability, but the 
complexity of the algorithm grows very rapidly and cannot be bounded. Moreover, 
the corresponding automata (Buchi sequence automata for the theory of finitely- 
layered structures, Rabin tree automata for downward unbounded structures, and 
systolic tree automata for upward unbounded ones) do not directly work over lay- 
ered structures, but rather over collapsed structures into which layered structures 
can be encoded. Hence, they arc not natural and intuitive tools to specify and check 
properties of time granularity. 

In this paper, we follow a different approach. Taking inspiration from combina- 
tion methods for temporal logics, we start by studying how to combine automata 
in such a way that properties of the components are inherited by the combination. 
Then, we reinterpret layered structures as combined structures. This intuition re- 
veals to be the keystone of our endeavor. Indeed, it allows us to define combined 
temporal logics and combined automata over layered structures, and to study their 
expressive power and computational properties by taking advantage of the transfer 
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Fig. 4. From monadic theories to (temporalized) logics via (temporalized) automata. 

theorems for combined logics and combined automata. The outcome is appealing: 
the resulting combined temporal logics and automata directly work over layered 
structures. Moreover, they are expressively equivalent to monadic languages, and 
they are elementarily decidable. 

Finding the temporal logic counterpart of monadic theories is a difficult task, in- 
volving a nonclcmentary blow up in the length of formulas. Ehrcnfcucht games have 
been successfully exploited to deal with such a correspondence problem for first- 
order monadic theories (Immerman and Kozcn 1989) and well-behaved fragments of 
second-order ones, e.g. the path fragment of the monadic second-order theory of infi- 
nite binary trees (Hafer and Thomas 1987). As for the theories of time granularity, 
by means of suitable applications of Ehrenfeucht games, we obtained an expres- 
sively complete and elementarily decidable combined temporal logic counterpart of 
the path fragment of the monadic second-order theory of DULSs (Franceschet and 
Montanari 2003), while Montanari et al. extended Kamp's theorem to deal with the 
first-order fragment of the theory of UULSs (Montanari et al. 2002). Unfortunately, 
these techniques produce rather involved proofs and do not naturally lift to the full 
second-order case. 

In this paper, instead of trying to establish a direct correspondence between 
monadic second-order theories for time granularity and temporal logics, we con- 
nect them via automata (cf. Figure 4). Firstly, we define a new class of combined 
automata, called temporalized automata, which can be proved to be the automata- 
theoretic counterpart of temporalized logics, and show that relevant properties, 
such as closure under Boolean operations, decidability, and expressive equivalence 
with respect to temporal logics, transfer from component automata to temporalized 
ones. Then, on the basis of the established correspondence between temporalized 
logics and automata, we reduce the task of finding a temporal logic counterpart of 
the monadic second-order theories of DULSs and UULSs to the easier one of finding 
a temporalized automata counterpart of them. The mapping of monadic formulas 
into automata (the difficult direction) can indeed greatly benefit from automata 
closure properties. 
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As a by-product, the alternative characterization of temporalized logics for time 
granularity as temporalized automata allows one to reduce logical problems to au- 
tomata ones. As it is well-known in the area of automated system specification and 
verification, such a reduction presents several advantages, including the possibility 
of using automata for both system modeling and specification, and the possibility 
of checking the system on-the-fly (a detailed account of these advantages can be 
found in (Franceschet and Montanari 2001b)). 

1.3 Related fields 

The original motivation of our research was the design of a temporal logic embed- 
ding the notion of time granularity, suitable for the specification of complex concur- 
rent systems whose components evolve according to different time units. However, 
we soon established a fruitful complementary point of view on time granularity: it 
can be regarded as a powerful setting to investigate the definability of meaningful 
timing properties over a single time domain. Moreover, layered structures and log- 
ics provide an interesting embedding framework for flat real-time structures and 
logics, as well as there exists a natural link between structures and theories of time 
granularity and those developed for representing and reasoning about time inter- 
vals. Finally there are significant similarities between the problems we encountered 
in studying time granularity and those addressed by current research on combin- 
ing logics, theories, and structures. In the following, we briefly explain all these 
connections. 

Granular reactive systems. As pointed out above, we were originally motivated by 
the design of a temporal logic embedding the notion of time granularity suitable 
for the specification of granular reactive systems. A reactive system is a concurrent 
program that maintains and interaction with the external environment and that 
ideally runs forever. Temporal logic has been successfully used for modeling and 
analyzing the behavior of reactive systems (Emerson 1990). It supports semantic 
model checking, which can be used to check specifications against system behav- 
iors; it also supports pure syntactic deduction, which may be used to verify the 
consistency of specifications. Finite-state automata, such as Biichi sequence au- 
tomata and Rabin tree automata (Thomas 1990), have been proved very useful in 
order to provide clean and asymptotically optimal satisfiability and model checking 
algorithms for temporal logics (Kupfcrman et al. 2000; Vardi and Wolper 1994) 
as well as to cope with the state explosion problem that frightens concurrent sys- 
tem verification (Courcoubetis et al. 1991; Jard and Jeron 1989; Vardi and Wolper 
1986). 

A granular reactive systems is a reactive system whose components have dynamic 
behaviours regulated by very different time constants (Montanari 1996). As an ex- 
ample, consider a pondage power station consisting of a reservoir, with filling and 
emptying times of days or weeks, generator units, possibly changing state in a few 
seconds, and electronic control devices, evolving in microseconds or even less. A 
complete specification of the power station must include the description of these 
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components and of their interactions. A natural description of the temporal evolu- 
tion of the reservoir state will probably use days: "During rainy weeks, the level of 
the reservoir increases 1 meter a day" , while the description of the control devices 
behaviour may use microseconds: "When an alarm comes from the level sensors, 
send an acknowledge signal in 50 microseconds". We say that systems of such a 
type have different time granularities. It is somewhat unnatural, and sometimes 
impossible, to compel the specifier to use a unique time granularity, microseconds 
in the previous example, to describe the behaviour of all the components. A good 
language must indeed allow the specifier to easily describe all simple and intuitively 
clear facts (naturalness of the notation). Hence, a specification language for gran- 
ular reactive systems must support different time granularities to allow one (i) to 
maintain the specifications of the dynamics of differently-grained components as 
separate as possible (modular specifications), (ii) to differentiate the refinement de- 
gree of the specifications of different system components (flexible specifications), 
and (iii) to write complex specifications in an incremental way by refining higher- 
level predicates associated with a given time granularity in terms of more detailed 
ones at a finer granularity (incremental specifications). 

Definability of meaningful timing properties. Time granularity can be viewed not 
only as an important feature of a representation language, but also as a formal 
tool to investigate the definability of meaningful timing properties, such as density 
and exponential grow/decay, over a single time domain (Montanari et al. 1999). 
In this respect, the number of layers (single vs. multiple, finite vs. infinite) of the 
underlying temporal structure, as well as the nature of their interconnections, play 
a major role: certain timing properties can be expressed using a single layer; others 
using a finite number of layers; others only exploiting an infinite number of layers. 
For instance, temporal logics over binary 2-layered structures suffice to deal with 
conditions like "P holds at all even times of a given temporal domain" that can- 
not be expressed using flat propositional temporal logics (Wolper 1983). Moreover, 
temporal logics over w-layered structures allow one to express relevant properties of 
infinite sequences of states over a single temporal domain that cannot be captured 
by using flat or n-layered temporal logics. For instance, temporal logics over k- 
refinable UULSs allow one to express conditions like "P holds at all time points k l , 
for all natural numbers i, of a given temporal domain", which cannot be expressed 
by using either propositional or quantified temporal logics over a finite number of 
layers, while temporal logics over DULSs allow one to constrain a given property 
to hold true 'densely' over a given time interval. 

On the relationship with real-time logics. Layered structures and logics can be re- 
garded as an embedding framework for flat real-time structures and logics. A real- 
time system is a reactive system with well-defined fixed-time constraints. Systems 
that control scientific experiments, industrial control systems, automobile-engine 
fuel- inject ion systems, and weapon systems are examples of real-time systems. Ex- 
amples of quantitative timing properties relevant to real-time systems are periodic- 
ity, bounded responsiveness, and timing delays. Logics for real-time systems, called 
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real-time logics, are interpreted over timed state sequences, that is, state sequences 
in which every state is associated with a time instant. 

Montanari et al. showed that the second-order theory of timed state sequences 
can be properly embedded into the second-order theory of binary UULSs as well as 
into the second-order theory of binary DULSs (Montanari et al. 2000). The increase 
in expressive power of the embedding frameworks makes it possible to express and 
check additional timing properties of real-time systems, which cannot be dealt with 
by the classical theory. For instance, in the theory of timed state sequences, saying 
that a state s holds true at time i can be meant to be an abstraction of the fact that 
state s can be arbitrarily placed in the time interval + 1). The stratification of 
domains in layered structures naturally supports such an interval interpretation and 
gives means for reducing the uncertainty involved in the abstraction process. For 
instance, it allows on to say that a state s belongs to the first (respectively, second) 
half of the time interval [i, i + 1). More generally, the embedding of real-time logics 
into the granularity framework allows one to deal with temporal indistinguisha- 
bility of states (two or more states associated with the same time) and temporal 
gaps between states (a nonempty time interval between the time associated to two 
contiguous states). Temporal indistinguishability and temporal gaps can indeed be 
interpreted as phenomena due to the fact that real-time logics lack the ability to 
express properties at the right (finer) level of granularity: distinct states, associated 
with the same time, can always be ordered at the right level of granularity; simi- 
larly, time gaps represent intervals in which a state cannot be specified at a finer 
level of granularity. A finite number of layers is obviously not sufficient to capture 
timed state sequences: it is not possible to fix a priori any bound on the granularity 
that a domain must have to allow one to temporally order a given set of states, and 
thus we need to have an infinite number of temporal domains at our disposal. 

On the relationship with interval logics. As pointed out in (Montanari 1996), there 
exists a natural link between structures and theories of time granularity and those 
developed for representing and reasoning about time intervals. Differently-grained 
temporal domains can indeed be interpreted as different ways of partitioning a 
given discrete/dense time axis into consecutive disjoint intervals. According to this 
interpretation, every time point can be viewed as a suitable interval over the time 
axis and projection implements an intcrvals-subintervals mapping. More precisely, 
let us define direct constituents of a time point x, belonging to a given domain, the 
time points of the immediately finer domain into which x can be refined, if any, 
and indirect constituents the time points into which the direct constituents of x can 
be directly or indirectly refined, if any. The mapping of a given time point into its 
direct or indirect constituents can be viewed as a mapping of a given time interval 
into (a specific subset of) its subintervals. 

The existence of such a natural correspondence between interval and granularity 
structures hints at the possibility of defining a similar connection at the level of 
the corresponding theories. For instance, according to such a connection, temporal 
logics over DULSs allow one to constrain a given property to hold true densely over 
a given time interval, where P densely holds over a time interval w if P holds over w 
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and there exists a direct constituent of w over which P densely holds. In particular, 
establishing a connection between structures and logics for time granularity and 
those for time intervals would allow one to transfer decidability results from the 
granularity setting to the interval one. As a matter of fact, most interval temporal 
logics, including Moszkowski's Interval Temporal Logic (ITL) (Moszkowski 1983), 
Halpern and Shoham's Modal Logic of Time Intervals (HS) (Halpern and Shoham 
1991), Venema's CDT Logic (Venema 1991), and Chaochen and Hansen's Neigh- 
borhood Logic (NL) (Zhou and Hansen 1998), are highly undecidable. Decidable 
fragments of these logics have been obtained by imposing severe restrictions on 
their expressive power, e.g., the locality constraint in (Moszkowski 1983). 

Preliminary results can be found in (Montanari et al. 2002), where the authors 
propose a new interval temporal logic, called Split Logic (SL for short), which is 
equipped with operators borrowed from HS and CDT, but is interpreted over spe- 
cific interval structures, called split- frames . The distinctive feature of a split-frame 
is that there is at most one way to chop an interval into two adjacent subintervals, 
and consequently it does not possess all the intervals. They prove the decidability of 
SL with respect to particular classes of split-frames which can be put in correspon- 
dence with the first-order fragments of the monadic theories of time granularity. 
In particular, discrete split-frames with maximal intervals correspond to finitely 
layered structures, discrete split-frames (with unbounded intervals) can be mapped 
into upward unbounded layered structures, and dense split-frames with maximal 
intervals can be encoded into downward unbounded layered structures. 

The combining logic perspective. There arc significant similarities between the prob- 
lems we addressed in the time granularity setting and those dealt with by current 
research on logics that model changing contexts and perspectives. The design of 
these types of logics is emerging as a relevant research topic in the broader area 
of combination of logics, theories, and structures, at the intersection of logic with 
artificial intelligence, computer science, and computational linguistics (Gabbay and 
dc Rijke 2000). The reason is that application domains often require rather com- 
plex hybrid description and specification languages, while theoretical results and 
implemcntable algorithms are at hand only for simple basic components (Gabbay 
et al. 2003). As for granular reactive systems, their operational behavior can be 
naturally described as a suitable combination of temporal evolutions (sequences of 
component states) and temporal refinements (mapping of a component state into 
a finite sequence of states belonging to a finer component). According to such a 
point of view, the model describing the operational behavior of the system and the 
specification language can be obtained by combining simpler models and languages, 
respectively, and model checking/satisfiability procedures for combined logics can 
be used. 

From the above discussion, it turns out that the time granularity framework is 
expressive and flexible enough to be used to investigate many interesting topics 
not explicitly related to time granularity. The aim of this paper is to deepen our 
understanding of time granularity. The rest of the paper is organized as follows. 



Temporalized logics and automata for time granularity 



11 



In Section 2, we introduce temporalized automata and we show that relevant logi- 
cal properties, such as closure under Boolean operations and decidability, transfer 
from component automata to temporalized ones; furthermore, we prove that tem- 
poralized automata are as expressive as temporalized logics. In Section 3 we exploit 
temporalized automata to find the temporal logic counterparts of the given theories 
of time granularity. Temporalized automata for the theories of DULSs and UULSs 
are obtained as combinations of Biichi and Rabin automata and of Biichi and finite 
tree automata, respectively. As a matter of fact, unlike the case of DULSs, the com- 
bined model we use to encode an UULS differs from that of pure temporalization 
since the innermost submodels are not independent from the outermost top-level 
model. In Section 4, we apply temporalized logics to a real-world case study. Con- 
clusive remarks provide an assessment of the work done and outline some future 
research directions. 

2 Temporalized logics and automata 

In this section we recall the definition of temporalization and we define temporal- 
ized automata 2 . Moreover, we prove the equivalence of temporalized automata and 
temporalized logics. We will take into consideration the following well-known tem- 
poral logics: Propositional Linear Temporal Logic (PLTL), Quantified Linear Tem- 
poral Logic (QLTL), Existentially Quantified Linear Temporal Logic (EQLTL), Di- 
rected Computational Tree Logic (CTL£), Quantified Directed Computational Tree 
Logic (QCTL£), and Existentially Quantified Directed Computational Tree Logic 
(EQCTLJJ); moreover, we will take advantage of the following well-known finite- 
state automata classes: Biichi sequence automata, Rabin tree automata, finite tree 
automata. 

Let V = {P, Q, . . .} be a set of proposition letters. We consider temporal logics 
over the set of propositional letters V. Given a temporal logic T, we use Ct and 
Kt to denote the language and the set of models of T, respectively. Furthermore, 
we write OP(T) to denote the set of temporal operators of T. 

Temporalization is a simple form of logic combination that embeds one component 
logic into the other (Finger and Gabbay 1992). Let T be a temporal logic and L 
an arbitrary logic. For the sake of simplicity, we constrain L to be an extension of 
propositional logic. We partition the set of L-formulas into Boolean combinations 
BC'i_, and monolithic formulas MLi,: a belongs to BCj_, if its outermost operator 
is a Boolean connective; otherwise it belongs to MLj_,. We assume that OP(T) n 
OP(L) = 0. 

Definition 2.1 

(Temporalization - Syntax) 

The language £t(L) 01 the temporalization T(L) of L by means of T over the set of 

2 We assume the reader to be familiar with basic concepts of modal and temporal logics, and au- 
tomata. If this is not the case, comprehensive surveys are given in (Emerson 1990) and (Thomas 
1990), respectively. 
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proposition letters V is obtained by taking the set of formation rules of Ct and by 
replacing the atomic formation rule: "every proposition letter P £ V is a formula" 
by the rule: "every monolithic formula a £ Cj_, is a formula" . □ 

As an example, let Ti and T2 be two temporal logics, and let {Fi,Gi} (resp. 
{F2,G2}) be the temporal operators of Ti (resp. T2). The formula F1G2P is a 
Ti(T2)-formula, while the formula F1G2P <-> G2F1P is not. 

A model for T(L) is a triple (W,1Z, g), where (W,1Z) is a frame for T and g : 
W — > Kl a total function mapping worlds in W to models for L. 

Definition 2.2 

(Tcmporalization - Semantics) 

Given a model M. = (W, 7£, g) and a state w £ W, the semantics of the temporalized 
logic T(L) is obtained by taking the set of semantic clauses of T and by replacing 
the clause for proposition letters: "M,w |= P if and only if P £ V(w), whenever 
P £ P" by the clause: "M, w (= a if and only if g(w) ct, whenever a £ ML\]\ 
□ 

Hereafter, we will restrict our attention to temporalized logics such that both the 
embedding and the embedded logics are temporal logics. 

We now introduce a new class of combined automata, called temporalized au- 
tomata, which can be viewed as the automata-theoretic counterpart of temporal- 
ized logics, and show that relevant properties, such as closure under Boolean op- 
erations, decidability, and expressive equivalence with respect to temporal logics, 
transfer from component automata to temporalized ones. We first define automata 
and prove results over sequence structures; then, we generalize definitions and re- 
sults to tree structures (as a matter of fact, we believe that our machinery can 
actually be extended to cope with more general structures, such as graphs). We 
will use the following general definition of sequence automata. Let £ = {a, b, . . .} 
be a finite alphabet and let <S(£) be the set of S-labeled infinite sequences, that 
is, structures of the form (N, <,V), where (N, <) is the set of natural numbers, 
together with the usual ordering relation, and V : N — > £ is a valuation function 
mapping natural numbers into symbols in £. 

Definition 2.3 
(Sequence automata) 

A sequence automaton A over S consists of (i) a Labeled Transition System (Q, qo, A, 
M, f2), where Q is a finite set of states, qo £ Q is the initial state, A C Q x S x Q 
is a transition relation, f2 is a finite alphabet, and M C Q x fi is a labeling of 
states, and (ii) an acceptance condition AC. Given a S-labeled infinite sequence 
w = (N, <, V), a run of A on w is a function a : N — > Q such that <r(0) = go and 
(cr(i), V(i), a(i + 1)) £ A, for every i > 0. The automaton A accepts w if there is a 
run a of A on w such that AC (a), i.e., the acceptance condition holds on a. The 
language accepted by A, denoted by C(A), is the set of E-labeled infinite sequences 
accepted by .4. □ 
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A class of sequence automata A is a set of automata that share the acceptance 
condition AC (we do not explicitly specify the acceptance condition for sequence 
automata since, as we will see, all the achieved results do not rest on any specific 
acceptance condition). An example of a class of sequence automata is the class of 
Biichi automata. 

Example 2.4 
(Biichi automata) 

A Biichi automaton is a sequence automaton A = (Q, qo, A, M, f2) such that f2 = 
{final}. We call final a state q such that (q, final) G M. The acceptance condition 
for A states that A accepts a E-labeled infinite sequence w if and only if there is a 
run a of A on w such that some final state occurs infinitely often in a. □ 

Temporalized automata over sequence structures can be defined as follows. Let 
Ai be a class of sequence automata which accept sequences in 5(E); moreover, let 
L(E) be a finite alphabet whose symbols A,B,... denote automata in A2, and let 
Ai be a class of sequence automata which accept (r(E)-labeled infinite) sequences 
in 5(r(E)). Given Ai and Ai as above, we define a class of temporalized automata 
A\{A2) that combine the two component classes of automata in a suitable way. 
Let 5(5(E)) be the set of infinite sequences of E-labeled infinite sequences, that 
is, temporalized models (N, <,g) where g : N — > 5(E) is a total function map- 
ping elements of N into sequences in 5(E). Automata in Ai(A-y) accept objects in 
5(5(E)). The class of temporalized automata Ai(A2) is formally defined as follows. 

Definition 2.5 
(Temporalized automata) 

A temporalized automaton A over T(E) is a quintuple (Q, qo, A, M, f2) as for se- 
quence automata (Definition 2.3). The combined acceptance condition for A is de- 
fined as follows. Given w = (N, <,<?) G 5(5(E)), a run of A on w is function 
<7 : N — > Q such that er(0) = qo and, for every % > 0, (<r(i),B,a(i + 1)) G A for 
some B G T(E) such that g(i) G C(B). The automaton A accepts w if there exists 
a run a of A on w such that AC (a), where AC is the acceptance condition of Ai- 
The language recognized by A, denoted by C(A), is the set of elements in <S(<S(E)) 
accepted by A. □ 

Given a temporalized automaton A G Ai(A2), we denote by A^ the automaton 
in Ai with the same labeling transition system as A and with the acceptance 
condition of Ai- While A accepts in <S(<S(E)), its abstraction A^ recognizes in 
<S(r(E)). Moreover, given an automaton A G Ai, we denote by A^ the automa- 
ton in A\{A2) with the same labeling transition system as A and with the com- 
bined acceptance condition of -4.1 (^.2)- While A accepts in 5(r(E)), its concretiza- 
tion A^ recognizes in S (5(E)). Taking advantage of these notions, the combined 
acceptance condition for temporalized automata can be rewritten as follows. Let 
w = (N, <,g) G 5(5(E)). A temporalized automaton A accepts w if and only if 
there exists v = (N, <,V) G 5(r(E)) such that v G C(A r ) and, for every i G N, 
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g(i) E C(V(i)). In the following, we will often use this alternative, but equivalent, 
formulation of the combined acceptance condition for tcmporalized automata. 

We now show that relevant logical properties transfer from component automata 
to temporalized ones. The following notation will be used to express the relation- 
ships between automata and temporal logics. We write A — ► T to denote the fact 
that every automaton A in A can be converted into a formula (fA in T such that 
C(A) = M.((Pa), where M(ipa) is the set of models of ipA- Conversely, we write 
T — > A to denote the fact that every formula tp in T can be converted into an 
equivalent automaton in A. Finally, A ^> T stands for A — > T and T — * A. The 
transfer problem for temporalized automata can be stated as follows. Assuming that 
the automata classes A\ and A2 enjoy a given logical property, does A\{A2) enjoy 
that property? We investigate the transfer problem with respect to the following 
properties of automata: 

1. (Effective) closure under Boolean operations (union, intersection, and com- 
plementation): if A\ and A2 are (effectively) closed under Boolean operations, 
is .Ai (.A2) (effectively) closed under Boolean operations? 

2. Decidability: if Ai and A2 are decidable, is Ai(A2) dccidable? 

3. Expressive equivalence with respect to temporal logic: if Ai Ti and A2 ^ 
T 2 , does Ai{A 2 ) ^Ti(Ta)? 

The following lemma plays a crucial role. It shows that every temporalized au- 
tomaton is equivalent to a temporalized automaton whose transitions are labeled 
with automata that form a partition of the set 5(E) of E-labeled sequences. Hence, 
different labels of the 'partitioned automaton' correspond to (automata accepting) 
disjoint sets of E-labeled sequences. Moreover, the partitioned automaton can be 
effectively constructed from the original one. We will see that a similar partition 
lemma holds for temporalized logics (cf. Lemma 2.9 below). 

Lemma 2.6 

(Partition lemma for temporalized automata) 

Let A be a temporalized automaton in A\{A2)- If A2 is closed under Boolean 
operations (union, intersection, and complementation), then there exists a finite 
alphabet T'(E) C A2 and a temporalized automaton A' over T'(E) such that C(A) = 
C(A') and the set {C(X) | X E r'(E)} is a partition of 5(E). Moreover, if A 2 is 
effectively closed under Boolean operations and it is decidable, then A' can be 
effectively computed from A. 

Proof 

To construct F'(E) and A' we proceed as follows. Let A = (Q, go, A, M, ft) be a 
temporalized automaton over T(E) = {X±,...X n } C A2 • For every 1 < i < n 
and j e {0, 1}, let X\ = X t for j = and X\ = 5(E) \ X % for j = 1. Given 

(h,---,j n ) 6 {0,1}™, let Cap , , = (X =1 Xf\ We define r x (E) as the set of 

all and only Cap^,...,^) suc h that (ji, . . . , j n ) E {0, 1}™. Since A2 is closed under 
Boolean operations, r\(E) C A 2 . Moreover, let T 2 (E) = {Ie r x (S) | C(X) ^ 0}. 
We set T'(E) = T 2 (E), and, for 1 < i < n, T' t (E) = {X E r'(E) \ X n X, ^ 0}. 
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Note that {C{X) \ X G L'(E)} is a partition of 5(E). Moreover, for every 1 < 
i < n, {C(X) | X G L'^E)} is a partition of £(Xj). We define the temporalized 
automaton A' = (Q, qo, A', M, f2) over r'(E), where A' contains all and only the 
triples (q 1 ,X,q 2 ) G Q x L'(E) x Q such that X G L' t (E) and (gi,Xi,g 2 ) £ A for 
some 1 < i < n. It is not difficult to see that C(A) = C(A'). □ 

We now prove the first transfer theorem: closure under Boolean operations trans- 
fers from component automata to temporalized ones. 

Theorem 2.1 

(Transfer of closure under Boolean operations) 

Closure under Boolean operations (union, intersection, and complementation) trans- 
fers from component automata to temporalized ones: given two classes A\ and A 2 of 
automata which are (effectively) closed under Boolean operations, the class ^1(^.2) 
of temporalized automata is (effectively) closed under Boolean operations. 

Proof 

Let X,Y e Ai{A 2 ). 

Union We must provide an automaton A G A\(A2) that recognizes the language 
C{X) U C{Y). Define A = (X^ U Y^) L . We show that C(A) = C{X) U C{Y). Let 
x = (N, <,g) G C(A). Hence, there is y = (N, <, V) G C(A^) = C(X^ U Y^) = 
£(XT) U £(F T ) such that, for every i G N, g{i) G C{V{i)). Suppose y G C(X^). It 
follows that x G C(X). Hence x G C(X)l)£(Y). Similarly if y G £(F T ). Conversely, 
suppose that x = (N, <,.g) G £(X) U £(Y). If x G C(X), then there is y = (N, < 
, V) G £(Xl) such that, for every i G N, G C{V{i)). Hence, y G C(X^) U 
£(yT) = £(XT U Ft) = It follows that z G £(A). Similarly if & € C{Y). 

Complementation We must provide an automaton A G Al(-A 2 ) that recognizes 
the language <S(<S(E)) \ C(X). Given Lemma 2.6, we may assume that {C(Z) | Z G 
r(S)} forms a partition of 5(E). We define A = (<S(r(E)) \ X^)J-. We show that 
£(A) = 5(5(E)) \ £(X). Let x = (N, <,#) G C{A). Hence, there exists y = (N,< 
, V) G £(A T ) = 5(r(E))\£(XT) such that, for every i G N, G £(V(i))- Suppose, 
by contradiction, that x G £(^Q. It follows that there exists z — (N, <, V) G jC(X^) 
such that, for every i £ N, g(i) G £(V'(i)). Hence, for every i G N, g(i) G £(V(i)) D 
C(V'(i)). Since, for every i G N, C(V(i)) n £(V(i)) = whenever V(i) 7^ V'(i), we 
conclude that V(i) = V'(i). Hence V = V' and thus y = z. This is a contradiction 
since y and z belong to disjoint sets. It follows that x G <S(«S(E)) \ C(X). 

We now prove the opposite direction. Let x = (N,<,g) G 5(<S(E)) \ It 
follows that, for every y = (N, <, V) G C(X^), there exists i G N such that <?(i) G" 
£(V(i)). Suppose, by contradiction, that x G S(S(E)) \ C(A). It follows that, for 
every z = (N,<, V) G C(A^) = <S(r(E)) \£(XT), there exists i G N such that 3 (i) £ 
£(V(i)). We can conclude that, for every v = (N, <, V) G 5(r(E)), there exists 
i G N such that g(i) £ C{V{i)). This is a contradiction: since {£(Z) \ Z G L(E)} 
forms a partition of 5(E), for every i G N, there is Yi G L(E) such that g(i) G CiYi). 
We have that (N, <, V), with V'(i) = Y t , is an element of 5(T(E)) and, for every 
i G N, gr(i) G £{V'(i)). We conclude that x G £(A). 
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Intersection It follows from closure under union and complementation using 
De Morgan's laws. □ 

It is worth noticing that if A = (I^F 1 ) 1 , then C(A) C C(X)DC(Y), while the 
opposite inclusion C{X) n C(Y) C C(A) does not hold in general. We give a simple 
counterexample. Let L(£) = {B, C}, X' be the automaton accepting sequences 
starting with the symbol B, and be the automaton accepting strings starting 
with the symbol C. Then, C(X^ n Y^) = and hence C(A) = 0. Let S = {a, 6}, 
-B be the automaton accepting sequences with an odd number of symbols a, and 
C be the automaton recognizing sequences with a prime number of symbols a. 
C-{X) n C(Y) contains, for instance, a combined structure starting with a sequence 
with exactly 13 occurrences of symbol a, and hence it is not empty. 

We now focus on the problem of establishing whether decidability transfers from 
component automata to temporalized ones. Given A £ Ai(A2), it is easy to see 
that a sufficient condition for C(A) = is that C(A^) = 0. However, this condition 
is not necessary, since C(A) — may depend on the fact that some ^-automata 
labeling A accept the empty language. However, if we know that A is labeled with 
^-automata recognizing non-empty languages, then the condition C(A^) = is 
both necessary and sufficient for C(A) = 0. In the following theorem, we take 
advantage of these considerations to devise an algorithm that checks emptiness for 
temporalized automata. 

Theorem 2.8 

(Transfer of decidability) 

Decidability transfers from component automata to temporalized ones: given two 
decidablc classes of automata Ai and A2, the class Ai(A2) of temporalized au- 
tomata is decidable. 

Proof 

Let A be a temporalized automaton in Ai(A2)- We describe an algorithm that 
returns 1 if C(A) = and otherwise. 

Step 1 Verify whether £(A T ) = using the algorithm that checks emptiness for 

A\. If C{A^) = 0, then return 1. 
Step 2 For every X £ r(S), if C{X) = (this test can be performed by exploiting 

the algorithm that checks emptiness for A2), then remove every transition of the 

form (gi, X, 52) from the transition relation of A. 
Step 3 Let B be the temporalized automaton obtained from A after Step 2. Check, 

using the emptiness algorithm for Ai, whether C(B') = 0. If C{B*) = 0, then 

return 1, else return 0. 

The algorithm always terminates returning either 1 or 0. We prove that the 
algorithm returns 1 if and only if C(A) = 0. Suppose that the algorithm returns 1. 
If C(Al) = 0, then C(A) = 0. Suppose now that C(A^ ) ^ and = 0. Note 

that C(A) = C(B), since B is obtained from A by cutting off automata accepting the 
empty language. Assume, by contradiction, that there is x £ C(A). Since C(A) = 
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C{B), we have that x € C{B). Hence C{B) in not empty. Since C(B^) = 0, we have 
that C(B) is empty which is a contradiction. Hence C(A) = 0. Suppose now that the 
algorithm returns 0. Then C(B^) contains at least one element, say x = (N, <, V). 
Since B uses only non-empty ^-automata as alphabet symbols, we have that, for 
every i G N, C(V(i)) ^ 0. Hence y = (N, <,g), with g such that, for every i G N, 
g(i) equals to some element of C(V(i)), is an element of £{A). Hence C(A) ^ □ 

Finally, we consider the problem of establishing whether expressive equivalence 
with respect to temporal logics transfers from component automata to temporalized 
ones. We first state a partition lemma for temporalized logics. The proof is similar 
to the one of Lemma 2.6, and thus omitted. 

Lemma 2.9 

(Partition Lemma for temporalized logics) 

Let tp be a temporalized formula of T!(T 2 ) and a.\, . . . , a n be the maximal T 2 - 
formulas of tp. Then, there exists a finite set A of T2-formulas such that: 

1. the set {M{a) a G A} is a partition of (JiLi Al(a»), and 

2. the formula <p' obtained by replacing every T2-formula a, in tp with 
\J{a a G A and M(a) H M{aA ^ 0} is equivalent to tp, i.e., M(tp) = 
M(tp>). 

The following theorem shows that expressive equivalence with respect to temporal 
logics transfers from component automata to temporalized ones. 

Theorem 2.10 

(Transfer of expressive equivalence w.r.t. temporal logic) 

Expressive equivalence w.r.t. temporal logic transfers from component automata 
to temporalized ones: if A\ ^ Ti A2 ^5 T2, and A2 is closed under Boolean 
operations, then Ai(A2) ^ Ti(T2). 

Proof 

We first prove that Ai(A2) — > Ti(T 2 ). Let A G A\(A2) be a temporalized au- 
tomaton over r(E) = {X\, . . . , X n } C _4 2 - We have to find a temporalized formula 
tp A S Ti(T 2 ) such that C(A) = M(tpA)- Since A2 is closed under Boolean opera- 
tions, by exploiting Lemma 2.6, we may assume that {£(Ai), . . . , C(X n )} partitions 
5(E). Since A\ ~ > Ti, there exists a translation ti from „4i-automata to Ti- 
formulas such that, for every X G Ai, C(X) = M(n(X)). Let tp A1 = Ti(A T ). The 
formula tp A -\ uses proposition letters in {Pxi , • ■ ■ , Px n }- Moreover, since A2 — > T 2 , 
there exists a translation 01 from ^-automata to T2-formulas such that, for every 
X G A 2 , C{X) = M(ax{X)). For every 1 < i < n, let ^ = oi(Xj). For every 
proposition letter Px t appearing in tp A t , replace Px f by (^sq in ip A r . Let (/ja be 
the resulting formula. It is immediate to see that tp A G Ti(T2). We prove that 
C(A) = M(tp A ). 

(C) Let a; = (N, <,#) G ^(A). This implies that there exists x T = (N, <,V) G 
5(T(E)) such that x^ G £(AT) and, for every i G N, g(i) G £(V(*)). Since C(A^) = 
M(tp A ^, we have that x^ G A4(<^at)- We prove that, for every i G N and j G 
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{1, . . . , n}, x^ ,i |= Pxj if and only if x, i \= ipxj ■ Let iGN and j £ { 1 , . . . , n}. We 
know that |= Px, if and only if V(i) = Xj. We first prove that V(i) = Xj 
if and only if g(i) G C(Xj). The left to right direction immediately follows since 
€ £(V(i)). We prove the right to left direction by contradiction. Suppose 
g(i) e C(Xj) and = X k ^ X,-. Hence G £(V(i)) = £(X fc ) and thus 

g(i) G £(Xj) n £(Xfc), which is a contradiction, since £(X,) n £(Xfc) = 0. Hence 
V(i) = Xj. Finally, we have that <?(i) G C(Xj) if and only if g(i) G A4((^Xj) if 
and only if x, i \= <fiXf Summing up, we have that G A4(tpAt) and, for every 
i G N and j G {1, . . . ,n}, x^,i |= Px 6 if and only if x, i (= ■■ It follows that 
x G A%a). 

(D) Let a; = (N, <,g) G M(^a)- We define cc T = (N,<,V) G S(I\£)) in such a 
way that, for every i G N, = Xj if and only if g{i) G M(<px s ) = £(Xj). Notice 
that V(i) is always and univocally defined, since {£(Xi ),..., £(X„)} partitions 
<S(S). We prove that, for every z G N and j G {1, . . . , rt}, we have that cc^ , i \= Pxj 
if and only if x, i \= ipx, ■ Let i G N and j G {1, . . . , n}. We know that a;t, i \= Pxj 
if and only if V(i) = Xj. We first prove that V(i) = Xj if and only if g{i) G £(Xj). 
The left to right direction immediately follows by definition of a^.The right to left 
direction follows since £(Xj) n C(Xf.) = whenever k ^ j. Finally, g(i) G £(Xj) 
if and only if g(i) G M.{tpxj) if and only if x, i \= <pxj- Summing up, we have 
that x T G M(ip A r) = C(A^) and, for every i G N, g(i) G M(tpxj) = M(<p v ^) = 
C(V(i)). Therefore, x G C{A). 

We now prove that Ti(T2) — > «4i(«42). Let <p G Ti(T2) be a temporalizcd formula. 
We have to find a temporalizcd automaton A v G A\(A2) such that A^(<p) = C(A lp ). 
Let ai, . . . , a n be the maximal T2-formulas of ip. By exploiting Lemma 2.9, we may 
assume that there exists a finite set A of T2-formulas such that the set {A4(a) | a G 
A} forms a partition of UiLi •M(ai), and every maximal T2-formula on in <p has 
the form \J{a \ a G A and A-f(a) n A* (a*) 7^ 0}. 

Let (pi be the formula obtained from ip by replacing every T2-formula a G A 
appearing in <p with proposition letter P a and by adding to the resulting for- 
mula the conjunct Pp V -^Pp, where ft is the T2-formula _l V"=i Q; i- Let Q = 
{P a I a G A U {ft}} be the set of proposition letters of <py . Since Ti — > *4i, there ex- 
ists a translation T2 from Ti-formulas to _4i-automata such that, for every i/i£Ti, 
M.(ij)) = £(t2(V0)- Let A^t = r 2 (iy9 T ). The automaton A^t labels its transitions 
with symbols in 2^. Moreover, since T2 — > .A2, there exists a translation 02 from 
T2-formulas to ^-automata such that, for every ip G T2, A4(ip) = £(02 (VO)- For 
every a G A U {/?}, let A a = (72(a). Finally, let A v be the automaton obtained 
by replacing every label X C Q on a transition of A^ with the ^4 2 -automaton 

r\p a ex A a = a 2(Ap a ex a )- Wc havc that A v e M{A 2 ) and C{A V ) = M(<p). The 
proof is similar to the case C(A) = M(<^a)- Notice that to prove this direction wc 
did not use the hypothesis of closure under Boolean operations of A2 ■ □ 

The following corollary shows that, whenever Ti — > Ai and T2 — > A2, the 
decidability problem for T!(T 2 ) can be reduced to the decidability problems for 
Ai and Ai. 



Temporalized logics and automata for time granularity 



19 



Corollary 2.11 

If Ti — >• A\, T 2 — > A2, and both Ai and ^2 are dccidablc, then Ti(T 2 ) is decid- 
able. 

Theorems 2.7, 2.8 and 2.10 hold for automata that operate on finite sequences 
as well; moreover, they can be immediately generalized to automata on finite and 
infinite trees (definitions of all these classes of automata can be found in (Thomas 
1990)). They remain valid for automata on temporalized structures that mix se- 
quences and trees. 

Corollary 2.11 allows one to prove the decidability of many temporalized log- 
ics. For instance, it is well-known that QLTL (and all its fragments) over infinite 
sequences can be embedded into Biichi sequence automata, QCTL£ (and all its frag- 
ments) over infinite fc-ary trees can be embedded into Rabin fc-ary tree automata, 
and both Biichi sequence and Rabin fc-ary tree automata are decidable. Moreover, 
QLTL (and all its fragments) over finite sequences can be embedded into finite 
sequence automata, QCTL£ (and all its fragments) over finite fc-ary trees can be 
embedded into finite /c-ary tree automata, and both finite sequence and finite fc-ary 
tree automata are decidable. From Corollary 2.11, it follows that any temporalized 
logic Ti(T 2 ), where Ti and T 2 are (fragments of) QLTL or QCTL£, interpreted 
over either finite or infinite sequence or tree structures, are decidable. As a matter 
of fact, the decidability of PLTL(PLTL) over infinite sequences of infinite sequences 
was already proved in (Finger and Gabbay 1992) following a different approach. 

3 Temporalized logics and automata for time granularity 

In the following, we use temporalized automata to find the (combined) temporal 
logic counterparts of the monadic second-order theories of downward and upward 
layered structures. Both results rest on an alternative view of DULSs and UULSs 
as infinite sequences of fc-ary trees of a suitable form. More precisely, DULSs can be 
viewed as infinite sequences of infinite fc-ary trees, while UULSs can be interpreted 
as infinite sequences of finite increasing fc-ary trees. In Section 3.1 we provide the 
monadic second-order theory of DULSs with an expressively complete and elemen- 
tarily decidable temporalized logic counterpart by exploiting a temporalization of 
Biichi and Rabin automata. Then, in Section 3.2, we define a suitable combina- 
tion of Biichi and finite tree automata and use it to obtain a combined temporal 
logic which is both elementarily decidable and expressively complete with respect 
to the monadic second-order theory of UULSs. It is worth remarking that, unlike 
the case of DULSs, the combined model we use to encode an UULS differs from 
that of temporalization since the innermost submodels are not independent from 
the outermost top-level model. 

The monadic second-order language for time granularity MSO-p[<, (i»)*=o] is 
defined as follows. 

Definition 3.1 

(Monadic second-order language) 

Let MSO-p[<, (lOto] b e the second-order language with equality built up as fol- 
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lows: (i) atomic formulas are of the forms x = y, x < y, J,,; (x) = y, x £ X and 
x G P, where < i < k — 1, x, y are individual variables, X is a set variable, and 
P 6 P; (ii) formulas are built up starting from atomic formulas by means of the 
Boolean connectives -i and A, and the quantifier 3 ranging over both individual 
and set variables. □ 

We interpret MSO P [<, (Lj)fco] over DULSs and UULSs. For all i > 0, let T % = 
{.h I j > 0}. A P-labeled fc-refinable DULS is a tuple (\J t > T\ CU)*L \ <, (P)p e v)- 
Part of a 2-refinable DULS is depicted in Figure 2. A DULS can be viewed as an 
infinite sequence of complete fc-ary infinite trees, each one rooted at a point of T°. 
The sets in {T 1 }i>q are the layers of the trees, ii is a projection function such that 
li (ab) = Cd if and only if d = b + 1 and c = a ■ k + i, with i = 0, . . . , k — 1, < 
is a total ordering over {J i>0 T l given by the preorder (root-left-right) visit of the 
nodes (for elements belonging to the same tree) and by the total linear ordering of 
trees (for elements belonging to different trees), and, for all P G V, P is the set of 
points in Ui>o T l labeled with letter P. A 'P-labeled fc-refinable UULS is a tuple 
(U>o r? > (Wfco: <= ( p )pev)- Part of a 2-rcfinablc UULS is depicted in Figure 3. 
An UULS can be viewed as a fc-ary infinite tree generated from the leaves. The 
sets in {T l }i>o represent the layers of the tree, [i is a projection function such 
that ii (ao) = -L, for all a, and J,j (at,) = Cd if and only if 6 > 0, b = d + 1 and 
c = a ■ k + i, with i = 0, . . . , k — 1, < is the total ordering of lj i>0 T l given by 
the inorder (left-root-right) visit of the nodes, and, for all P G V, P is the set of 
points in [J i>Q T l labeled with letter P. Given a formula ip G MSO-p[<, Q.t)*=o ]j we 
denote by A4((p) the set of models of ip. 

For technical reasons, it is convenient to work with a different, but equivalent, 
monadic second-order logic over DULSs that replaces the total ordering < by two 
partial orderings <i and <2 defined as follows. Let t be a DULS. According to the 
interpretation of DULSs as tree sequences, we define x <i y if and only if x is the 
root of some tree ti of t, y is the root of some tree tj of t, and i < j over natural 
numbers. Moreover, x <2 y if and only if y is different from x and y belongs to 
the tree rooted at x. In a similar way, it is convenient to work with a different, but 
equivalent, monadic second-order logic over UULSs that replaces the total ordering 
< with a partial ordering < pre such that x < pre y if and only if y is different from 
x and y belongs to the tree rooted at x. 

3.1 Downward unbounded layered structures 

We start with a formalization of the alternative characterization of DULSs as suit- 
able tree sequences given above. Let Tk(V) be the set of "P-labclcd infinite /c-ary 
trees. Let S(Tk(V)) be the set of infinite sequences of "P-labclcd infinite fc-ary trees, 
that is, tcmporalizcd models (N, <,<?) where g : N — > Tk(V). "P-labclcd DULSs 
correspond to tree sequences in S(Tk{V)), and vice versa. On the one hand, V- 
labeled DULS t can be viewed as an infinite sequence of "P-labclcd infinite /c-ary 
trees, whose i-th tree, denoted by ti, is the 'P-labcled tree rooted at the i-th point io 
of the coarsest domain T° of t (cf. Figure 5) . Such a sequence can be represented as 
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the temporalized model (N, <,<?) G S(Tk(V)) such that, for every i 6 N, g(i) = tj. 
On the other hand, it is immediate to reinterpret infinite sequences of P-labeled 
infinite fc-ary trees in terms of T^-labeled DULSs. 

Such a correspondence between DULSs and temporalized models enables us to 
use temporalized logics Ti (T2), where Ti is a linear time logic and T2 is a branch- 
ing time logic, to express properties of DULSs. Furthermore, taking advantage of 
the correspondence between temporalized logic and automata, we can equivalcntly 
use temporalized automata Ai(Az) over DULSs, where A\ is a class of sequence 
automata and Ai is a class of tree automata. In the following, we will focus on 
the class B(lZk) of temporalized automata embedding Rabin fc-ary tree automata 
into Biichi sequence automata. We call automata in this class infinite tree sequence 
automata. Since both B and IZk are effectively closed under Boolean operations 
and decidable, Theorems 2.7 and 2.8 allow us to conclude that the class B(1Zk) 
of infinite tree sequence automata is effectively closed under Boolean operations 
and decidable as well. The complexity of the emptiness problem for infinite tree 
sequence automata is given by the following theorem. 

Theorem 3.2 

(Complexity of infinite tree sequence automata) 

The emptiness problem for infinite tree sequence automata is decidable in polyno- 
mial time in the number of states, and exponential time in the number of accepting 
pairs. 

Proof 

For any given A <E B(lZk), let n be the number of states of A and N (resp. M) be 
the maximum number of states (resp. accepting pairs) of a Rabin tree automaton 
labeling transitions in A. The emptiness of Biichi sequence automata can be checked 
in polynomial time in the number of states, while the emptiness of Rabin tree au- 
tomata can be verified in polynomial time in the number of states, and exponential 
time in the number of accepting pairs. By applying the algorithm used to test the 
emptiness of temporalized automata in the proof of Theorem 2.8, we have that the 
complexity of checking whether A accepts the empty language is polynomial in n 
and N , and exponential in M. □ 

The following theorem relates infinite tree sequence automata to the monadic 
second-order theory of DULSs. 
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Theorem 3.3 

(Expressiveness of infinite tree sequence automata) 

Infinite tree sequence automata are as expressive as the monadic second-order the- 
ory of DULSs. 

Proof 

The proof can be accomplished following a proof strategy that closely resembles 
those adopted to prove classical results in the field, such as, for instance, the proof 
of Buchi's Theorem (cf. (Thomas 1990)). We split it in two parts: 

(a) we first show that, for every automaton A 6 B(lZk) over r(E), there exists 
a formula tp A G MSOp s [<i, < 2 , (ii)to] over = {P a a G E} such that 
C(A) = M^a); 

(b) then, we show that, for every formula (p G MSOp [<i, <2, (|i)j = o ] over V, there 
exists an automaton A v G B{TZu) over some T{2 V ) such that M(<p) = £(^4^,). 

We first introduce some auxiliary predicates that can be easily defined in the 
monadic second-order logic over DULSs. Let +1 be a binary predicate such that 
+1(2, y) if and only if x and y belong to the coarsest domain and y is the immediate 
successor of x. We will write x + 1 G X for 3y(+l(x,y) A y G X). Moreover, let 
T°(x) be a shorthand for "x belongs to the coarsest domain" , 0o G X be a shorthand 
for "the first element of the coarsest domain belongs to X" , and Path(X, x) be a 
shorthand for the formula stating that "X is a path rooted at x" . 

Let us prove part (a) for fc = 2. The generalization to k > 2 is straightforward. Let 
A = (Q, qo, A, F) be a i3(7?-2)-automaton over T(E) (finite subset of IZ2) accepting 
tree sequences in S(T 2 (T,)). We produce a sentence (p A G MSO-p E [<i, <2, |o, li], 
that involves monadic predicates in Vt, = {Pa | Q> G £} and is interpreted over 
<S(T 2 (E)), such that C{A) = M(<pa)- We assume Q = {0, . . .to} and q = 0. For 
every Z G F(S), let Z = {Qz,q Q z , A z , F z ) over E, with Q z = {0, . . . to z }, g° = 0, 
and T z = {(Lf,Uf) I l<i<r z }. 

The MSO-pj, [<i, <2, 101 |i]-sentence </3a that corresponds to the automaton A 
basically encodes the combined acceptance condition for i3(7?. 2 )-automata. The out- 
ermost part of the sentence expresses the existence of an accepting run over the 
coarsest layer of the tree sequence for the Biichi sequence automaton A' . For all 
i G Q, the second-order variable X, denotes the set of positions of the run which 
are associated with the state i, while, for all Z G r(E) the monadic predicate Qz 
denotes the set of positions of the run that are labeled with the Rabin tree au- 
tomaton Z. The innermost part RAC(x, Z) captures the existence of an accepting 
run over the tree rooted at x for the Rabin tree automaton Z. For i G Qz, the 
second-order variable Yi denotes the set of positions of the run that are associated 
with state i. The sentence ipA is defined as follows: 

(3Qz)z e r (S) (3X 4 )™ (Ar=oVx(xGX l -> T°(i))A 

Az e r(s) £Qz -> T°(aO) A G X A fi^. ^3y{y G X % Aye Xj) A 
Vx(T°(x) -» \/ {iiZ!j)£A (x G X, A x e Qz A x + 1 G Xj)) A 
V 4eF V.t(T°(.t) A 3y(T°(y) A x <i y A y £ X,)) A 
Az e r(s) Va;(x G Qz -> RAC(x,Z)), 
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where RAC(x, Z) stands for: 

m)Z z (AT= z oMy e Yi - i < 2 y) a x G y a A^- e y 4 a » e 15) a 

Vy(z < 2 y -h. V (i , aj - ,, l)eAz (2/ e A y G P a A jo (2/) e Y jo A |! (y) G Y^)) A 
VIY(Path(FY, x) -> \J r il (/\ jeL z 3u(u eW A Vw(w G VF A u < 2 u -> u £ Yj)) A 
Vjet/z G W -> elf Au< 2 «Ai)6 Y,))))). 

We now prove part (b). Let "P = {Pi,...P„}. To simplify things, we prove 
our result for the theory MSO-p[<i, < 2 , (U)i=o, +1] which can be easily shown 
to be equivalent to MSO-p[<i, < 2 , (|i)i=o]- Given a formula 93 G MSO-p[<i, < 2 , (ji 
)i=o j that involves monadic predicates in V and is interpreted over P-labeled 
tree sequences in S(%.(V)), we build an automaton A v G B(lZk) over some T(2 7: ') 
and accepting in S{Tk{V)) such that = A^(yj). 

As a first step, we show that the ordering relations <i and < 2 can actually be 
removed without reducing the expressiveness. We replace x <i y by 

T°(x) A T°(</) A VX(x + leX A Vz(z 6l ^ zllel) ^ |/e X)), 

and x <2 y by 

fe-l fe-i 
VX(/\ (<c) G X A Vz(z el^ f\ U(z)eX) ^ yeX). 

i=0 i=0 

Hence, MSO P [<i, < 2 , (ji)^ 1 , +1] is as expressive as MSO^!;)^ Ncxt , 
we introduce an expressively equivalent variant of MSOtj[(Lj)£Tq , +1], denoted by 
MSO[Qt)i=0) +-^]' w hich uses f ree se t variables Xi in place of predicate symbols Pi 
and is interpreted over {0, l} ra -labeled tree sequences in S(Tk ({0, 1}™)). The idea is 
to encode a set X C V with the string i\ . . . i n G {0, 1}" such that, for j = 1, . . . , n, 
ij = 1 if and only if Pj G X. We now reduce MSOfQj)^ 1 , +1] to a simpler for- 
malism MSOo[(4i)^To, +1], where only second-order variables Xi occur and atomic 
formulas arc of the forms Xi C Xj (Xi is a subset of Xj), Proj m (X, X,), with 
m = 0, . . . , k — 1 and Xj are the singletons {x} and {y}, respectively, and 
im ( x ) = 2/): an d Succ(Xj,Xj) (Xi and are the singletons {x} and {j/}, respec- 
tively, and x + 1 = y). This step is performed as in the proof of Biichi's Theorem. 
Finally, given a MSOo[(-U)k.T , +l]-formula <p(Xi, . . . , X n ), we prove, by induction 
on the structural complexity of tp, that there exists a temporalized automaton A v 
accepting in S(Tk({0, 1}")) such that M.(f) = C(A lp ). A corresponding automaton 
accepting in S(Tk(V)) can be obtained in the obvious way. As for atomic formulas, 
let cti.j be the Rabin tree automaton over {0, 1}" for Xi C Xj. The temporalized 
automaton for X, C Xj is depicted in Figure 6 (top). Moreover, let £ be the Ra- 
bin tree automaton over {0, 1}™ that accepts the singleton set containing a tree 
labeled with 0™ everywhere, and let a™ be the Rabin tree automaton over {0, l} ra 
for Proj m (Xj, Xj). The temporalized automaton for Proj TO (Xi, Xj) is depicted in 
Figure 6 (middle). Finally, let cti be the Rabin tree automaton over {0, l} ra that 
accepts the singleton set containing a tree labeled with I_1 10 n_l at the root, and 
labeled with 0" elsewhere. The combined automaton for Succ(Xs, Xj) is depicted 
in Figure 6 (bottom). The induction step immediately follows from the closure of 
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Fig. 6. Temporalized automata for atomic formulas. 



B(lZk) automata under Boolean operations and projection. Closure under Boolean 
operations has been already shown; closure under projection can be argued as fol- 
lows: given a 2?(7?.fc)-automaton A, the corresponding projected 6(7^fe)-automaton 
is obtained by simply projecting every Rabin automaton that labels some transition 



We can exploit infinite tree sequence automata to provide the (full) second-order 
theory of DULSs with an expressively complete and elementarily decidablc temporal 
logic counterpart. First of all, it is well-known that B ^ QLTL and B ^ EQLTL, 
as well as TZ k ^ QCTLJJ and K k ^ EQCTL£ (Emerson 1990). Since Rabin tree 
automata are closed under Boolean operations, Theorem 2.10 allows us to conclude 
that both QLTL(QCTL£) <=> B{K k ) and EQLTL(EQCTLJJ) B(TZ k ) 3 . By apply- 
ing Theorem 3.3, we have that both QLTL(QCTL^) ^ MSOp[<i, < 2 , (lOtol and 
EQLTL(EQCTL^) <=> MSOp[<i, < 2 , (U)^]- Such a result is summarized by the 
following theorem. 

Theorem 3.4 

(Expressiveness of QLTL(QCTL^) and EQLTL(EQCTLjJ)) 

QLTL(QCTL£) and EQLTL(EQCTL^) are as expressive as MSO P [<i, < 2 , (Wtol, 
when interpreted over DULSs. 

Furthermore, since MSOp[<i, < 2 , (li)to 1 ] is decidable, both QLTL(QCTL^) and 
EQLTL(EQCTL£) are decidable. The next theorem shows that EQLTL(EQCTL^) 
is elementarily decidable. 

3 It is worth pointing out that the application of the partition step of Theorem 2.10 to temporal 
formulas in EQCTLJ generates formulas of the form SQi ■ ■ ■ 3Q n ip, where ip is a CTLjJ-formula, 
which do not belong to the language of EQCTLJ, because such a language is not closed under 
negation. Nevertheless, formulas of the form ~^3Q\ . . . 3Q n ip can be embedded into Rabin tree 
automata as well. The Rabin tree automaton for ^3Qi . . . 3Q n ip can indeed be obtained by 
taking the complementation of the projection, with respect to Qi, . . . Q n , of the Rabin tree 
automaton for (p. 



of A. □ 
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Theorem 3.5 

(Complexity of EQLTL(EQCTL^)) 

The satisfiability problem for EQLTL(EQCTL^) over DULSs is in ELEMENTARY. 
Proof 

EQLTL(EQCTL^) can be decided by embedding it into B(lZk) automata (such 
an embedding can be accomplished following the approach outlined in the proof 
of Theorem 2.10). EQLTL can be elementarily embedded into Biichi sequence au- 
tomata. Indeed, given an EQLTL-formula 3Qi • • • 3Q n (p, the PLTL-formula ip can 
be converted into a Biichi sequence automaton A v of size 0(2'^'). A Biichi sequence 
automaton for 3Qi . . . 3Q n ip can be obtained by taking the projection of A v with 
respect to letters Qi, . . . , Q n , that is, by deleting letters Qi, . . . , Q n from the tran- 
sitions of A v . The size of the resulting automaton is 0(2> v >). Similarly, EQCTLjJ 
formulas can be embedded into Rabin tree automata with a doubly exponential 
number of states and a singly exponential number of accepting pairs in the length 
of the formula. In particular, as already pointed out, a Rabin tree automaton for 
formulas of the form ->3Qi . . . 3Q n <p, which are generated by applying the partition 
step of Theorem 2.10 to EQCTL£ formulas, can be obtained by taking the comple- 
mentation of the projection, with respect to Qi, . . . Q n , of the Rabin tree automaton 
for ip. The resulting automaton has elementary size. Hence, any EQLTL(EQCTLjJ) 
formula can be converted into an equivalent B(lZk) automaton of elementary size. 
Since B(Rk) automata are elementarily decidable, we have the thesis. □ 

We conclude the section by giving some examples of meaningful timing properties 
that can be expressed in (fragments of) EQLTL(EQCTLj^) interpreted over DULSs. 
As a first example, consider the property 'P densely holds at some node a;' meaning 
that there exists a path rooted at x such that P holds at each node of the path 
(notice that such a property implies that, for every i > 0, there exists y ej.* (x) 
such that P holds at y, where, for i > 0, J, 4 (x) is the i-th layer of the tree rooted 
at x, but not vice versa). This property can be expressed in PLTL(CTLjJ) by the 
formula: 

OEFEGP. 

As another example, the property l P holds at the origin of every layer' (or, cquiv- 
alently, 'P holds along the leftmost path of the first tree of the sequence') can be 
expressed in PLTL(CTL£) as follows: 

E(P A GX P). 

As a third example, the property 'P holds everywhere on every even tree' can be 
encoded in EQLTL(CTL^) as follows: 

3Q{Q a O-Q a a(Q <-> o O Q) a n(Q -> AGP)). 

Notice that such a property cannot be expressed in PLTL(CTL^), since, as it is well- 
known, PLTL cannot express the property 'P holds on every even point' (Wolper 
1983). As a last example, the property 'P holds everywhere on every even layer' 
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Fig. 7. Mapping an UULS into an increasing tree sequence. 

can be encoded in PLTL(EQCTL^) as follows: 

□ 3Q(Q A AX^Q A AG(Q <-> AXAXQ) A AG(Q -> P)). 

Notice that also this property cannot be expressed in PLTL(CTL£). 

Unfortunately, things are not always that easy. As an example, the property 
'P holds at exactly one node' can be easily encoded in (the first-order fragment 
of) MSO P [<i, < 2 ,(|i)to 1 ] b y thc formula: 3x{x e P A Vy(y ^ x -» y £ P)), 
while it is not easy at all to express it in EQLTL(EQCTL£). Moreover, since 
MSO-p[<i, < 2 , (li)to 1 ] is nonelementarily decidable, while EQLTL(EQCTL^) is el- 
ementarily decidable, the translation r of MSO-p[<i, <2, (l»)i=o] formulas into 
EQLTL(EQCTL£) formulas is nonelementary. This means that, for every n € N, 
there exists an MSOp[<i, <2, (U)^ ]-formula ip such that the length of r{tp) is 
greater than k(ti, \ip\) (an exponential tower of height n). 



3.2 Upward unbounded layered structures 

We start by giving an alternative characterization of UULSs in terms of tree se- 
quences. To this end, we need to introduce the notions of almost fc-ary tree and of 
increasing tree sequence. An almost k-ary finite tree is a complete finite tree whose 
root has exactly k — 1 sons 0, . . . , k — 2, each of them is the root of a complete finite 
fc-ary tree. Let Wfe(P) be the set of P-labeled almost /c-ary finite trees. A P-labeled 
increasing k-ary tree sequence (ITS, for short) is a tree sequence such that, for every 
i € N, the i-th tree of the sequence is a P-labcled almost fc-ary tree of height i (cf. 
Figure 7). A P-labeled ITS can be represented as a temporalized model (N, <,g) 
such that, for every i € N, g(i) is the i-th tree of the sequence. Let ITSk(V) be the 
set of P-labelcd fc-ary ITSs. It is worth noting that ITSk(V) is not the class Hk(P 
of temporalized models embedding almost fc-ary finite trees into infinite sequences: 
an increasing tree sequence is a particular sequence of almost fc-ary finite trees, 
but a sequence of almost fc-ary finite trees is not necessary increasing, and thus 
ITS k {V)CS(H k {V)). 

It is not difficult to show that a P-labeled UULS corresponds to a P-labeled 
ITS, and vice versa. As already pointed out, an UULS can be viewed as an infinite 
complete fc-ary tree generated from the leaves. The corresponding tree sequence 
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can be obtained starting from the first point of the finest layer of the UULS and 
climbing up along the leftmost path of the structure. The i-th tree in the sequence 
is obtained by taking the tree rooted at the i-th point of the leftmost path, and by 
deleting from it the subtree rooted at the leftmost son of its root. More precisely, let 
t be a /e-ary UULS. For every node x in t, we define t x to be the finite complete k- 
ary tree rooted at x. For every i > 0, let to i be the almost fc-ary finite tree obtained 
from to i by deleting, whenever i > 0, the subtree to i l from it. The ITS (N, <, g) 
associated with the UULS t is obtained by defining, for every i > 0, g{i) = io s . The 
embedding of a binary UULS into a binary ITS is depicted in Figure 7. Similarly, 
ITSs can be reinterpreted in terms of UULSs. 

On the basis of such a correspondence between UULSs and ITSs, we can use 
temporalized logics Ti(T 2 ), where Ti is a linear time logic and T 2 is a branching 
time logic, to express properties of UULSs. More precisely, we interpret Ti(T 2 ) 
over S{T-Lk{V)) 1 but, since we are interested in increasing tree sequences, we study 
the logical properties of Ti (T 2 ) , such as expressiveness and decidability, with re- 
spect to the proper subset ITSk(P). Temporalized automata -4i(.4 2 ) over UULSs 
can be defined in a similar way. Once again, we consider automata in .4i(.4 2 ) ac- 
cepting in <S(?ifc(E)), but, since we are interested in increasing tree sequences, we 
study the relevant properties of -4i(-4 2 ), such as closure under Boolean operations, 
expressiveness, and decidability, with respect to the proper subset ITSk{^). In the 
following, we will focus on the class B(Ck) of temporalized automata embedding 
almost fc-ary finite tree automata into Biichi sequence automata. We call automata 
in B{Ck) finite tree sequence automata. 

Since both B and are effectively closed under Boolean operations and decid- 
ablc, Theorems 2.7 and 2.8 allows us to conclude that B(Ck) is effectively closed 
under Boolean operations and decidable. We show that S(Cfc)-automata are closed 
under Boolean operations over the set ITSk(E) as well. Let A, B £ B{Ck). We show 
that: 

• there exists C £ B(Ck) such that 

C{C) n ITSkiY.) = ITS k {T) \ C{A) {complementation)] 

• there exists C £ B(Ck) such that 

C{C) n ITS k (£) = (C(A) U C(B)) n ITS k {Z) {union); 

• there exists C £ B{Ct) such that 

C{C) n ITS k (2) = (£{A) n C{B)) n ITS k (S) {intersection). 

As it can be easily checked, it suffices to set C = A in case of complementation, 
C = A U B in the case of union, and C = A n B in the case of intersection. 

The following theorem relates finite tree sequence automata to the monadic 
second-order theory of UULSs. 
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(Expressiveness of finite tree sequence automata) 

Finite tree sequence automata are as expressive as the monadic second-order theory 
of UULSs. 

Proof 

The proof is quite similar to that of Theorem 3.3, and thus we only sketch its main 
steps. We split the proof in two parts: 

(a) we first show that, for every automaton A E B(C k ) over r(E), there exists 
a formula ip A E MSOp s [<, (U)^} over Vt, = {Pa \ a E £} such that C(A) n 
JTS fc (E) = M(<pa); 

(b) then we show that, for every formula tp E MSO-p[<, (I^vTq 1 ], there exists an 
automaton A v E B(C k ) over some T(2 V ) such that M(<p) = C{A V ) n ITS k (V). 

The embedding of automata into formulas is performed by encoding the com- 
bined acceptance condition for ,8(Cfc)-automata into MSO-p[<, (4i)i=o]- The Biichi 
acceptance condition have to be implemented over the leftmost path of the struc- 
ture, and the finite tree automata acceptance condition have to be constrained to 
hold over almost fc-ary trees rooted at nodes in the leftmost path of the structure. 
The embedding of formulas into automata takes advantage of the closure properties 
of Z?(Cfc)-automata over UULSs. □ 

We can exploit finite tree sequence automata to provide the (full) second-order 
theory of UULSs with an expressively complete temporal logic counterpart. We 
know that B QLTL and B EQLTL, and that C k QCTLJ! and C k 
EQCTL£. Since almost fc-ary finite tree automata are closed under Boolean oper- 
ations, Theorem 2.10 allows us to conclude that that QLTL(QCTL^) ^ B(C k ) 
and EQLTL(EQCTL£) ^ B(C k ) over infinite sequences of almost fc-ary finite 
trees. Since increasing fc-ary tree sequences are infinite sequences of almost fc-ary 
trees, the above equivalences hold over increasing fc-ary tree sequences as well. 
From Theorem 3.6, we have that QLTL(QCTL£) ^ MSO P [< pre , (Wtol and 
EQLTL(EQCTL^) <=> MSO P [< pre , (l,)^}. Such a result is summarized by the 
following theorem. 

Theorem 3.7 

(Expressiveness of QLTL(QCTL^) and EQLTL(EQCTL^)) 

QLTL(QCTLk) and EQLTL(EQCTL^) are as expressive as MSO v [< pre , (|i)to], 
when interpreted over UULSs. 

The (nonclcmcntary) decidability of QLTL(QCTL^) and EQLTL(EQCTL^) im- 
mediately follows from that of MSOp[< pre , (ji)*^ 1 ] over UULSs. A natural ques- 
tion arises at this point: is EQLTL(EQCTL£) elementary decidable as in the case of 
DULSs? In order to answer this question, we study the decidability and complexity 
of the emptiness problem for finite tree sequence automata over increasing fc-ary 
tree sequences. Such a problem can be formulated as follows: given an automaton 
A E B(C k ), is there an increasing fc-ary tree sequence accepted by Al (Equivalently, 
does C{A) (~1 /TS'jfe(E) ^ 0?) The (nonelementary) decidability of such a problem 
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immediately follows from Theorem 3.6, since, given an automaton A, we can build 
an equivalent monadic formula tpA and check its satisfiability over UULSs. In the 
following, we give a necessary and sufficient condition that solves the problem in 
elementary time. 

Let A = (Q, q , A, F) be an automaton in B(Ck) over the alphabet r(S) (finite 
subset of C fc ). Clearly, C(A) ^ is necessary for C(A) n ITS k (E) ^ 0. However, 
it is not sufficient. By definition of combined acceptance condition for A, we have 
that C(A) ^ if and only if there is a finite sequence <7o> 9i> ■ ■ ■ Qm of distinct states 
in Q, a finite sequence Xq, Xi, . . . X m of C^-automata and j 6 {0, . . . m} such that: 

1. A(qi,Xi,q i+ i), for every i = 0,...m-l, and A(q m , X m , qj); 

2. Qj e F; 

3. C{Xi) ^ 0, for every i = 0, . . .m 

To obtain a necessary and sufficient condition for C(A) (~l ITSk(E) ^ 0, we have 
to strengthen condition (3) as follows. Let T^(S) be the set of almost fc-ary finite 
trees of height i: 

3'. (3'a) £(Xj)nTi(£) ^ 0, for every i = 0, .. and (3'b) C{Xi) nT^ +y ' z (S) ^ 

0, for every i = j, . . .m and ?/ > 0, where Z = m — j + 1. 

The conjunction of conditions (1,2,3') is a necessary and sufficient condition for 
C{A) fl ITSk(E) 7^ 0- We show that conditions (1,2,3') are elementarily decidable. 
Clearly, there are elementarily many runs in A satisfying conditions (1,2). The 
following nontrivial Lemma 3.8 shows that condition 3' is elementarily decidable. 

Lemma 3.8 

Let X be a almost fc-ary finite tree automaton, and a, I > 0. Then, the problem 
C(X) n T£ +v4 (E) ^ 0, for every y > 0, is elementarily decidable. 

Proof 

Let X = (<3, qo,A,F) over r(E). If Z = 0, then the problem reduces to checking 
C(X) n T^(S) ^ 0, for some a > 0. For every a > 0, the set T% is finite and 
hence regular. Since almost /c-ary finite tree automata are elementarily closed under 
Boolean operations and elementarily decidable, we conclude that in this case the 
condition is elementarily effective. 

Suppose now I > 0. For the sake of simplicity, we first give the proof for finite 
sequence automata, and then we discuss how to modify it to cope with the case of 
almost /c-ary finite tree automata. Hence, let X be a finite sequence automaton. We 
have to give an elementarily effective procedure that checks whether X recognizes 
at least one sequence of length a, at least one of length a + Z, at least one of length 
a + 21, and so on. Without loss of generality, we may assume that the set of final 
states of X is the singleton containing € Q. Hence, the problem reduces to 
check, for every y > 0, the existence of a path from qo to qfi n of length a + y ■ I in 
the state-transition graph associated with X. We thus need to solve the following 
problem of Graph Theory, which we call the Periodic Path Problem (PPP for short): 
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Given a finite directed graph G = (N,E), two nodes qi,q2 £ N, and two natural 
numbers a, I > 0, the question is: for every y > 0, is there a path in G from gi to 52 of 
length a + y ■ If 

In the following, we further reduce the PPP to a problem of Number Theory. Let 
H qi ,q 2 (G) be the set of paths from qi to (72 in the graph G. Given n e II 9li92 (G), we 
denote by ir 1 ^ the path obtained by eliminating cyclic subpaths from it. That is, if ir 
is acyclic, then ir = 71". Else, if ir — aq'[3q'-f, then 7r° = a Q q'^i Q . Let ~ gi , 92 be the 
relation on n gii92 (G) such that tt\ ~ 9l .g 2 ^2 if and only if 7^ = 7r^. Note that ~ 9l ,g 2 
is an equivalence relation of finite index. For every equivalence class [t]^ , we 
need a formula expressing the length of a generic path in the class. Note that every 
path in [7r]~ 92 differs from any other path in the same class only for the presence 
of some cyclic subpaths. More precisely, let /i be the shortest path in [7r]^ g2 , let 
Gi, . . . G„ be the cycles intersecting tt, and let wi, . . . w n be their respective lengths. 
Note that /i does not cycle through any Ci. Every path in [V]^ q2 starts from g 1; 
cycles an arbitrary number of times (possibly zero) through every Gi, and reaches 
q2- It is easy to see that the length of an arbitrary path a S [ 7r ]~, 1 „ is given by 
the parametric formula: 

n 

M = I A* I + ^ X i ' W ii 
1=1 

where Xi > in the number of times the path a cycles through Ci. 
Let [7Ti]^ (Ji , . . . , [7r m ]^ 52 be the equivalence classes of r ^q 1 ,q 2 - For every j = 
1, . . . m, let [ij be the shortest path in [7tj]^ 9 , let C[,... C J n be the the cycles 
intersecting nj, and let w{, . . . be their respective lengths. Moreover, let 

n 

Yj = {y > I 3xi, ...x n >0 (\nj\ + ^ x t ■ w{ = a + y ■ I)}. 

i—l 

The PPP reduces to the following problem of Number Theory: 

Do the sets Yi, . . . Y m cover the natural numbers? That is, does UJLi ~ N? 

We now solve the latter problem. Let Wi > 0, for i = 1, . . . n. We are interested 
in the form of the set S = {^"=1 x % ' w i I x i — 0}- Let W = (wi, . . . w n ) and let 
d = GCD(W) (the greatest common divisor of {w±, . . . ,w n }). We distinguish the 
cases d = 1 and d 7^ 1. If d = 1, then it is easy to see that: 

S = EU{j \j>k}, 

where E is a finite set of exceptions such that max(E) < k, and k = (w r — 1) • 
(w s — 1), with w r = min(W) (the minimum of {wi, . . . w n }) and w s = min(W \ 
w r ). H d ^ 1, then consider the set S' = {Yl7=i Xi ' w i/d \ %i > 0}. Clearly 
GCD(wi/d 7 . . .w n /d) = 1 and hence, as above, S' — E' U {j \ j > k'} for some 
finite set E' and some k' G N. Therefore, in this case, 

S = E' ■ d U {j I j > k' ■ d A d DIV j}, 

where d DIV j means that d is a divisor of j. 
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Summing up, in any case, the set S can be described as follows: 

S = EU{k+j-d | j gN}, 

for some finite (computable) set E, some (computable) k G N, and d = GCD(W). 
In other words, the set S is the union of a finite and computable set of exceptions 
and an arithmetic progression. 

Now we consider the equation Xj ■ Wi = y • I. Our aim is to describe the 

set Y = {y > | 3x%, . . .x n > (Y]^_-, Xj ■ Wi = y ■ I)} in a similar way. Let 
e = GCD(d, I), I = V ■ e and d = d' ■ e. We have that: 

y EY iff 

y ■ I £ S iff 

yl € E V y - l>k A d DIV y • 1 iff 

yl e E V y> \k/V\ A d' ■ e DIV y • l' • e iff 
y-leE V y> \k/V\ A <f DIV y 

Therefore, the set Y is the union of a finite and computable set and an arithmetic 
progression, i.e., 

y = £' U {k 1 + j-d' | j g N}, 
for some finite (computable) set E', some (computable) k' G N, and d! = d/GCD(d, 
I). The set Y = {y > | Etoi, . . .x n > (Y%=i Xi ■ Wi ^ a + y ■ I)}, with a G N, can 
be described in the same way. 

We have shown that, for i = 1, . . . , m, every Y has the form EiU{ki+y-di y > 0} 
for some finite and some ki,di G N. We now give a solution to the problem 
(J™i Y — N. Let k r = min{ki, . . . ,k m } and D = LCM(d\, . . . ,d m ) (the least 
common multiple of {d±, . . . , d m }). The algorithm works as follows: for every k < k r , 
we check whether k G Y for some i = 1, . . . , m. If this is not the case, the problem 
has no solution. Otherwise, we verify whether, for every j = 0, . . . , D — 1, k r +j G Y 
for some i = 1, . . . , m. If this is the case, then we have a solution, otherwise, there 
is no solution. Note that a solution can be described in terms of an ultimately 
periodic word w = uv w , with u, v G {1, . . . m}*, such that, for every i > 0, w(i) = j 
means that a path from qi to qi in the graph G belongs to the j-th equivalence 
class [irj]~ guta - 

The above algorithm solves the periodic path problem in doubly exponential time 
in the number n of nodes of the graph G. The number of equivalence classes of the 
relation ~ gi ,g 2 over the set of paths from q\ to qi in G may be exponential in n. 
Thus, we have m sets Yi, . . . , Y m , each one associated with a relevant equivalence 
class, and m = 0(2"). Every set Y can be represented in polynomial time as 
Ei U {ki + y ■ di | y > 0} for some finite Ei, and some G N. Note that the 

cardinality of Ei is bounded by ki, ki = 0(n 2 ), and di = 0(n). The final step 
of the procedure makes fco + D membership tests with respect to some set Y, 
where fco = min{di, . . . d m }, and D = LCM(d\, . . . d m ). Each test is performed 
in 0(1). Moreover, D is bounded by do" 1 , where do = max{d\ 1 . . . d rn }, and hence 
D = 0(2 2 ). Hence, the procedure works in doubly exponential time. 

The general case of finite trees is similar. Let X be a finite almost fc-ary tree 
automaton. A path from q\ to q2 corresponds to a run of X such that the run tree 



32 



Massimo Franceschet and Angelo Montanari 



is complete and fc-ary, the root of the run tree is labeled with state q\ and the leaves 
of the run tree are labeled with state q2- A cycle is a path from q to q. The problem 
is to find, for every y > 0, a path from the initial state qo to the final state qfi„ of 
length a + y ■ I. The rest of the proof follows the same reasoning path of the proof 
for sequence automata. □ 

From Lemma 3.8, it follows that, given a S(Cfe)-automaton A, we have an algo- 
rithm to solve the problem C(A) D ITSk(E>) ^ in doubly exponential time in the 
size of A. 

Theorem 3.9 

The emptiness problem for finite tree sequence automata over UULSs is in 2EXP- 
TIME. 

Since EQLTL(EQCTL£) formulas can be elementarily converted into B(Ck) au- 
tomata, we have the desired result. 

Theorem 3.10 

(Complexity of EQLTL(EQCTL^)) 

The satisfiability problem for EQLTL(EQCTL^) over UULSs is in ELEMENTARY. 

We conclude the section by giving some examples of meaningful timing properties 
that can be expressed in (fragments of) EQLTL(EQCTL^) interpreted over UULSs. 
As a first example, consider the property 'P holds at every point of the finest layer 
T° whose distance from the origin of the layer Oo is a power of two (lo, 2 , 4 , 8o, 
and so on)' over a binary UULS. Such a property can be expressed in PLTL(CTL£) 
as follows: 

ODEXiG((Xtrue -> X true) A (-.Xtrue -> P)). 

Notice that the property 'P holds on every point 2 l , with i £ W cannot be expressed 
in QLTL. As a second example, the property 'P holds on every even point of the 
leftmost path' can be expressed in EQLTL(CTL^) as follows: 

3Q(Q A O-Q A U{Q <-> o O Q) A □(<? -> P)). 

As already pointed out, this property cannot be expressed in PLTL(CTLjJ), since 
PLTL cannot express the property 'P holds on every even point' (Wolpcr 1983). 

As in the case of DULSs, there are some natural properties of UULSs that cannot 
be easily captured in EQLTL(EQCTL£). As an example, it is not easy to express 
the property 'P holds on every even point of the finest domain T '. 

4 The specification of a high voltage station 

In this section, we exemplify the concrete use of temporalizcd logics as specifica- 
tion formalisms by providing (an excerpt of) the specification of a supervisor that 
automates the activities of a High Voltage (HV) station devoted to the end user dis- 
tribution of energy generated by power plants (Montanari 1996). We first show how 
relevant timing properties of such a system can be expressed in monadic second- 
order languages, and then we give their simpler temporalizcd logic formulations. 
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Each HV station is composed of bays, connecting generation units to the distribu- 
tion line. A bay consists of circuit breakers and insulators. They are both switches, 
but an expensive circuit breaker can interrupt current in a very short time (50 
millisecond or even less), while a cheap insulator is not able to interrupt a flowing 
current and it has a switching time of a few seconds. Let us consider a simple HV 
station consisting of two bars bl and b2 connected to different power units, a dis- 
tribution line 1, and two bays pb (parallel bay) and lb (line bay). The parallel bay 
shorts circuit between the two bars bl and b2. It consists of two insulators ipl and 
ip2, and one circuit breaker cbp. It is in the state closed if all its switches are 
closed; otherwise it is open. The line bay connects the distribution line with either 
the first bar or the second one. It consists of three insulators ilbl, ilb2, and ill, 
and one circuit breaker cbl. It is in the state closed_on_bl if ilbl, cbl, and ill 
are closed, and in the state closed_on_b2 if ilb2, cbl, and ill are closed. 

We focus on the specification of the change of the bar connected to the line from 
bl to b2. The supervisor starts its operation by closing the parallel bay, an action 
that takes about 10 seconds; then, it first closes the insulator ilb2, an action that 
takes about 5 seconds and then it opens the insulator ilbl, and action that takes 
5 seconds as well; finally, it opens the parallel bay, an action that takes other 10 
seconds. To model the behavior of the system, we use the predicates change_bl_b2, 
change_b2_bl, close_pb, open_pb, close_ilbl, open_ilbl, close_ilb2, and so on 
to denote the corresponding commands sent by the supervisor to the various devices. 
Furthermore, for every system action we identify the time granularity with respect 
to which it can be considered as an instantaneous action. The change of the bar 
takes about 30 seconds, opening and closing the parallel bay 10 seconds, switching 
insulators 5 seconds, and switching circuit breakers 50 milliseconds. Accordingly, 
we assume a 4-layered structure whose 4 layers correspond to the 4 involved time 
granularities, namely, 30secs, lOsecs, 5secs, and 50millisecs (in (Franceschet 
and Montanari 2003) we show how to tailor temporal logics for time granularity 
over downward unbounded layered structures to deal with n- layered structures). 

In the monadic second-order language, the change of the bar is described by the 
following formula, which specifies the sequence of actions taken by the supervisor: 

\/x. {T 3Qsecs (x) A changeMM{x) 3 Vl . i {x) = yi A closejpb(yi) A 

3y 2 . +1 lOsecs (2/1,2/2) A 
32/3- lo(2/2) =2/3 A closeJlb2(y 3 ) A 
3y 4 . +l. 5secs (2/3,2/4) A openSlbl{yi) A 
3J/5- +l5secs (2/4,2/5) A 
3J/6- lo(2/6) = 2/5 A open-pb{y e )), 

where the definable predicate +l g (x, y) states that both x and y belong to the layer 
g and y is the successor x with respect to g. Such a condition can be expressed in 
temporalized logic in a much more compact and readable way: 

G (change JblJ>2 EXodose_p& A EXiXodose_zZt>2 A 
EXiXiopenJZbl A EX2open_p6) 
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As for the compound operation close_pb, let us assume that the supervisor starts 
in parallel the closure of the circuit breaker, which is completed in 50 milliseconds, 
and of the first insulator, that takes about 5 seconds; then, once the first insulator is 
closed, it closes the second one. Such an operation can be specified by the following 
classical formula: 

Vx. (T 10secs (x) A closejpb(x) — » 3j/i. lo(x) = yi A closeJpl(yi) A 

3y2- 10(2/1,2/2) A close.cbp{y 2 ) A 
3y 3 - +l5se CS (2/1,2/3) A closeJp2(y 3 ), 

while its temporalized version is structured as follows: 

G( (EX-odose-pb — > EXo(EXo (close Jpl A ~K.odosejzpb) A EXicZose_zp2)) A 
(EXicZose_p6 — > EXi(EXo(cZose_ipl A XocZose_cp6) A EXicZose_zp2)) A 
(EX2cZose_p& — ► EX2(EXo(cZoseJpl A XocZose_cp6) A EXicZoseJp2))). 

5 Conclusions and future work 

In this paper, we provided the monadic second-order theories of DULSs and UULSs 
with expressively complete and elementarily dccidablc temporal logic counterparts. 
To this end, we defined temporalized automata, which can be seen as the automaton- 
theoretic counterpart of temporalized logics, and showed that relevant properties, 
such as closure under Boolean operations, decidability, and expressive equivalence 
with respect to temporal logics, transfer from component automata to temporalized 
ones. Then, we exploited temporalized automata to successfully solve the problem 
of finding the temporal logic counterparts of the given theories of time granularity. 

As a matter of fact, some forms of automaton combination, which differ from 
tcmporalization in various respects, have been proposed in the literature to increase 
the expressive power of temporal logics. As an example, extensions of PLTL with 
connectives defined by means of finite automata over w-strings are investigated 
in (Vardi and Wolper 1994). To gain the expressive power of the full monadic 
second-order theory of (ui, <), Vardi and Wolpcr's Extended Temporal Logic (ETL) 
replaces the until operator of PLTL by an infinite bunch of automata connectives, 
that is, ETL allows formulas to occur as arguments of an automaton connective 
(as many formulas as the symbols of the automaton alphabet are). Given the well- 
known correspondence between formulas and automata, the application of automata 
connectives to formulas can be viewed as a form of automata combination. An 
extension of CTL* that substitutes ETL operators for PLTL ones is given in (Dam 
1994). However, the switch from PLTL to ETL does not involve any change in 
the domain of interpretation (^-structures in the first case, binary trees in the 
latter). On the contrary, in the case of temporalized automata/logics, component 
automata/temporal logics refer to different temporal structures, and thus their 
combination is paired with a combination of the underlying temporal structures. 

We are developing our research on temporalized logics and automata for time 
granularity in various directions. First of all, we are trying to improve the complex- 
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ity bound for the satisfiability problem for EQLTL(EQCTL^) over UULSs. Second, 
we are investigating the relationships between temporalized and classical automata. 
On the one hand, the languages recognized by temporalized automata are struc- 
turally different from those recognized by classical automata, e.g., Biichi (Biichi) 
automata recognize infinite strings of infinite strings. On the other hand, this fact 
does not imply that language problems for temporalized automata cannot be re- 
duced to the corresponding problems for classical automata. As an example, the 
emptiness problem for Biichi (Biichi) automata can actually be reduced to the 
emptiness problem for Biichi automata. We are exploring the possibility of defining 
similar reductions for more complex temporalized automata. Finally, we are explor- 
ing the possibility of extending our correspondence results to other forms of logic 
combination, such as independent combination and join (Gabbay et al. 2003). 
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